I'm trying to run google-chrome --headless inside a Docker container as a non-root user to execute some tests. Every time I try to start it, it throws the following error:

google-chrome --headless

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted Failed to generate minidump.Illegal instruction

It's a Docker container running in a k8s cluster. The operating system is Ubuntu 16.04.

Namespaces are enabled, and the user is non-root.

I do not want to use the --no-sandbox option as this is a security issue.

I cannot use docker run --security-opt=seccomp:unconfined as it's being deployed using Helm.

Is there a system permission missing that I need to set up for Chrome within the container itself?

Johannes Buchholz
novak100

2 Answers

After researching the internet extensively, I think I found the answer:

Sandboxing: For security reasons, Google Chrome is unable to provide sandboxing when it is running in the container-based environment. To use Chrome in the container-based environment, pass the --no-sandbox flag to the chrome executable.

So it looks like there is no better solution than --no-sandbox for me. Even though it's not very secure, there are people on the internet claiming that it is still safe to use "--no-sandbox" as it's running within a container, which is extra protected anyway.

novak100
  • If you need it, I found a way, see this https://stackoverflow.com/questions/62345581/node-js-puppeteer-on-docker-no-usable-sandbox – Riccardo Manzan Jun 15 '20 at 10:36
  • Even in the vendor dir, typed by the developer: `sandbox mode - useful if you want to use chrome headless inside docker`, so add "noSandbox" and use Docker – Vladimir Ch Jun 29 '23 at 14:06
Although this doesn't answer your question, since you can't set security-opt, this is still a good solution for other people with a similar problem who find the question.

Download this chrome.json file, which contains a custom security profile.

Use the security profile with --security-opt seccomp=path/to/chrome.json or with docker-compose:

# docker-compose.yml
version: '3'
services:
  <service name>:
    #
    # the service configuration
    #
    security_opt:
      - seccomp=<path to downloaded chrome.json>

See https://stackoverflow.com/a/53975412/8678740

Update

This can now be done with --cap-add=SYS_ADMIN or in docker-compose.yml with:

# docker-compose.yml
services:
  <service name>:
    #
    # the service configuration
    #
    cap_add:
      - SYS_ADMIN

See https://pptr.dev/guides/docker#usage

Johannes Buchholz
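For a Helm-deployed pod like the one in the question, the same two fixes go into the pod spec rather than on the docker run command line. This is an added example, not taken from the answers above; the pod name, image, UID and profile path are placeholders, and it assumes the chrome.json from the answer has been copied under the kubelet's seccomp root on every node that can schedule the pod.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: headless-chrome                  # placeholder
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                      # placeholder; must match the image's user
    # Option A (narrowest): keep seccomp filtering, but load the custom
    # chrome.json profile so the clone()/unshare() flags Chrome's sandbox uses
    # to create its PID, network and user namespaces are permitted. The path
    # is relative to the kubelet seccomp root (default /var/lib/kubelet/seccomp),
    # so the file must exist at that location on each node.
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/chrome.json
  containers:
    - name: chrome
      image: registry.example/headless-chrome:latest   # placeholder
      command: ["google-chrome", "--headless"]
      securityContext:
        # Option B (broader): instead of shipping a profile, keep the runtime
        # default seccomp profile (set seccompProfile.type above to
        # RuntimeDefault) and add CAP_SYS_ADMIN, which that profile treats as
        # the permission for namespace-creating clone() calls. CAP_SYS_ADMIN
        # grants far more than namespace creation, so prefer Option A where
        # you can place the profile on the nodes. Uncomment to use:
        # capabilities:
        #   add: ["SYS_ADMIN"]
```

Either option keeps Chrome's own sandbox active, which --no-sandbox does not; the container's seccomp profile and Chrome's sandbox are separate layers, and dropping the inner one leaves a renderer compromise with the full rights of the container user.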